JanaWare Ransomware Uses Adwind RAT to Target Turkish Users
Key Takeaways
- A new ransomware variant, JanaWare, is actively targeting users and small businesses in Turkey.
- The attack chain leverages a customized version of the Adwind Remote Access Trojan (RAT) for initial compromise and reconnaissance.
- Attackers use phishing and social engineering with localized lures to distribute the RAT, then selectively deploy JanaWare ransomware based on victim profiling.
- The campaign combines a well-known RAT with new ransomware logic and a targeted distribution model, posing a significant risk to Turkish users.
New JanaWare Ransomware Leverages Customized Adwind RAT to Target Turkish Users
Cybersecurity researchers have identified a new ransomware family, dubbed JanaWare, actively targeting computer users and small businesses in Turkey. This emerging threat distinguishes itself by employing a modified version of the Adwind Remote Access Trojan (RAT) to gain initial access and conduct reconnaissance on victim systems before deploying its encryption payload.
The campaign exhibits a sophisticated blend of familiar tactics and novel elements. By integrating a widely recognized cross-platform RAT with fresh ransomware code and a distribution strategy specifically tailored for Turkish users, the threat actors create a potent and uniquely dangerous risk for individuals and small enterprises in the region.
Targeting Strategy and Initial Compromise
Analysis of the ongoing operation indicates a primary focus on individual users and small businesses. These entities often possess weaker security infrastructures, making them more susceptible to email-based attacks. The attack sequence typically commences with phishing or socially engineered messages designed to persuade victims into opening malicious attachments or clicking on malicious links. These lures are frequently disguised as routine documents or business-related files, presented in the Turkish language to enhance their credibility and effectiveness. Further details on this campaign can be found in a comprehensive security analysis.
Upon interaction with these deceptive elements, the customized Adwind RAT is surreptitiously installed on the victim’s machine. This grants the attacker remote control over the compromised system, setting the stage for subsequent phases of the attack. During this initial phase, files are not immediately encrypted. Instead, the RAT is utilized to survey the system, gather intelligence about the victim, and only download the JanaWare ransomware payload if the target is deemed valuable or sufficiently interesting by the attackers, as highlighted in the security analysis document.
Discovery and Technical Analysis by Acronis
Acronis threat analysts were the first to identify this JanaWare activity. Their monitoring of Adwind-based intrusions revealed unusual behavioral patterns on Turkish endpoints, prompting a deeper investigation. Telemetry data and sandbox analysis conducted by Acronis revealed that the Adwind samples involved in this campaign contained additional modules and post-exploitation scripts that deviated from previously documented versions of the RAT. According to an Acronis report, their researchers correlated network traffic, command-and-control (C2) instructions, and the final encryption routine, confirming that a new ransomware strain was being delivered via the customized Adwind infrastructure, rather than as a standalone binary.
Once JanaWare is deployed, its impact is immediate and evident: critical documents, archives, images, and databases are encrypted and renamed with a unique extension associated with the campaign. A ransom note is then dropped, explaining the situation, warning that files cannot be recovered without the attacker's decryption key, and providing instructions for victims to establish contact. In some observed instances, the ransom note includes local-language instructions and pricing, suggesting that the operators have conducted regional research to improve their chances of receiving payment. This combination of targeted language, selective deployment, and strong encryption can cause significant disruption for individuals and small organizations that lack reliable backup and recovery processes.
Infection Mechanism and Customized Adwind Use
The JanaWare infection mechanism is heavily reliant on Adwind, though the version employed in these attacks features significant customizations that expand its capabilities beyond standard remote access. After a victim opens the initial malicious attachment, the Adwind loader utilizes obfuscated scripts and a multi-stage deployment process to evade detection by antivirus software. It then unpacks the RAT into memory and establishes persistence through various methods, including registry entries, scheduled tasks, or user-level startup configurations. Acronis researchers observed that this customized Adwind variant periodically communicates with its C2 server to retrieve updated configuration data, which includes instructions on whether and when to deploy the JanaWare ransomware module.
The infection chain illustrates how a malicious document initiates execution, passing control to a script loader. This loader then fetches the Adwind payload and establishes a communication channel back to the attackers. This architecture allows the threat actors to separate their phishing infrastructure from the core malware, enabling rapid rotation of lures while consistently reusing the same RAT and ransomware components. Consequently, security measures focused solely on blocking suspicious attachments may fail to detect later-stage traffic or payload delivery occurring through Adwind’s C2 channel, as detailed in the security analysis.
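The periodic check-in described above is the one behaviour that attachment filtering alone will miss, so a defender's complement is to look for it in network telemetry. The script below is an added illustration written for this article, not code from Acronis or from the campaign: it groups outbound connections per source/destination pair and flags pairs whose inter-arrival times are unusually regular, which is what a fixed-period C2 poll looks like. The flow records, host name, and IP addresses are constructed (documentation-range IPs), and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag beacon-like outbound connections in constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows for illustration only: (timestamp_s, source_host, destination).
# None of these values are indicators from the JanaWare campaign.
SAMPLE_FLOWS = [
    # suspiciously regular ~300 s check-ins to one destination
    (0, "ws-01", "203.0.113.10:443"),
    (300, "ws-01", "203.0.113.10:443"),
    (601, "ws-01", "203.0.113.10:443"),
    (899, "ws-01", "203.0.113.10:443"),
    (1201, "ws-01", "203.0.113.10:443"),
    (1500, "ws-01", "203.0.113.10:443"),
    # ordinary browsing to a CDN: irregular timing driven by the user
    (12, "ws-01", "198.51.100.7:443"),
    (40, "ws-01", "198.51.100.7:443"),
    (350, "ws-01", "198.51.100.7:443"),
    (360, "ws-01", "198.51.100.7:443"),
    (1400, "ws-01", "198.51.100.7:443"),
    (1411, "ws-01", "198.51.100.7:443"),
]


def beacon_candidates(flows, min_connections=5, max_cv=0.2):
    """Return (src, dst) pairs whose connection intervals are near-constant.

    The coefficient of variation (stddev / mean) of the inter-arrival times is
    close to zero for a fixed-period poll and large for human-driven traffic.
    min_connections and max_cv are assumed starting thresholds, not vendor defaults.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    results = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            results.append({
                "src": src,
                "dst": dst,
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(f"beacon-like: {hit['src']} -> {hit['dst']} every ~{hit['period_s']} s (cv={hit['cv']})")
```

In practice the per-pair grouping should be run over a longer window and combined with destination reputation and first-seen age, since legitimate software updaters also poll on fixed intervals; the regularity score is a triage signal, not a verdict.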
Once Adwind is active, it systematically collects system information, such as hostname, operating system version, installed software, and a list of user files and folders. This inventory is then transmitted back to the attacker for review and profiling. Based on this profile, the operators can selectively deploy JanaWare by instructing the RAT to download and execute the ransomware from a remote server, often over encrypted or encoded channels to avoid detection. Before encryption commences, the ransomware process may attempt to disable local security tools, terminate backup-related services, and delete shadow copies so that recovery without payment is harder. Throughout these stages, both the RAT and the ransomware employ basic but effective detection-evasion techniques, such as using common process names, performing anti-analysis checks, and checking their execution environment to minimize exposure to automated analysis systems.
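The encryption phase leaves a distinctive host-side footprint: one process renames many files to the same new extension within seconds. The following script is an added example for this article (not Acronis code and not derived from a JanaWare sample) showing the sliding-window logic an EDR rule would apply to file-activity events. The event records, the process name update.exe, and the extension .lockedx are constructed placeholders; the real campaign extension is not named in the article and is not reproduced here.

```python
"""Detect a burst of renames to one new extension in constructed file-activity events."""
from collections import defaultdict, deque
import os

WINDOW_S = 10    # sliding window length in seconds (assumed tuning value)
THRESHOLD = 5    # renames to the same new extension within the window that raise an alert

# Constructed events for illustration: (timestamp_s, pid, process, old_path, new_path).
# ".lockedx" and "update.exe" are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    (100.0, 2210, "explorer.exe", r"C:\Users\ali\notes.txt", r"C:\Users\ali\notes_old.txt"),
    (100.5, 4412, "update.exe", r"C:\Users\ali\Documents\fatura.xlsx", r"C:\Users\ali\Documents\fatura.xlsx.lockedx"),
    (100.7, 4412, "update.exe", r"C:\Users\ali\Documents\sozlesme.docx", r"C:\Users\ali\Documents\sozlesme.docx.lockedx"),
    (100.9, 4412, "update.exe", r"C:\Users\ali\Pictures\img01.jpg", r"C:\Users\ali\Pictures\img01.jpg.lockedx"),
    (101.2, 4412, "update.exe", r"C:\Users\ali\Pictures\img02.jpg", r"C:\Users\ali\Pictures\img02.jpg.lockedx"),
    (101.4, 4412, "update.exe", r"C:\Users\ali\db\musteri.db", r"C:\Users\ali\db\musteri.db.lockedx"),
    (101.6, 4412, "update.exe", r"C:\Users\ali\arsiv.zip", r"C:\Users\ali\arsiv.zip.lockedx"),
    (130.0, 3001, "WINWORD.EXE", r"C:\Users\ali\~WRD0001.tmp", r"C:\Users\ali\rapor.docx"),
]


def extension(path):
    """Lower-cased final extension of a path (works on backslash paths too, since
    splitext only looks at the last dot)."""
    return os.path.splitext(path)[1].lower()


def detect_rename_bursts(events, window_s=WINDOW_S, threshold=THRESHOLD):
    """Alert once per (pid, new_ext) when a single process renames at least
    `threshold` files to the same new extension within `window_s` seconds.

    Renames that keep the extension (notes.txt -> notes_old.txt) are ignored,
    as are ordinary save patterns where a temp file becomes one document.
    """
    windows = defaultdict(deque)   # (pid, new_ext) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, pid, proc, old_path, new_path in sorted(events):
        old_ext, new_ext = extension(old_path), extension(new_path)
        if not new_ext or new_ext == old_ext:
            continue  # not an extension change
        key = (pid, new_ext)
        recent = windows[key]
        recent.append(ts)
        while recent and ts - recent[0] > window_s:
            recent.popleft()  # drop events that fell out of the window
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "pid": pid,
                "process": proc,
                "new_ext": new_ext,
                "count": len(recent),
                "first_ts": recent[0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"mass rename: pid {alert['pid']} ({alert['process']}) -> "
              f"{alert['count']} files to {alert['new_ext']} starting at t={alert['first_ts']}")
```

Alerting on the fifth rename rather than waiting for the full sweep is the point: a response action (suspending the process, isolating the host) taken at that moment limits the damage to a handful of files, which is what the EDR recommendation below means by interrupting the attack chain.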
What You Should Do
- Enhance Email Security: Implement robust email filtering solutions to block malicious attachments and links.
- Conduct User Awareness Training: Educate employees and users about the dangers of phishing and social engineering, especially regarding suspicious attachments and links in Turkish-language or business-themed emails.
- Implement Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying RAT behavior, suspicious C2 traffic, and unusual file encryption patterns to interrupt the attack chain.
- Maintain Regular Backups: Ensure critical data is regularly backed up to offline or immutable storage to facilitate recovery without paying a ransom.
- Patch and Update Systems: Keep operating systems, applications, and security software fully patched and up-to-date to mitigate known vulnerabilities.
- Monitor Remote Access Tools: Closely monitor the usage and traffic of any legitimate remote access tools to detect anomalous activity.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.